Research Insights

COVID-19 cyberwar: How to protect your business
Attacks are escalating amid the pandemic—Our step-by-step security guide for action now

By Wendi Whitmore and Gerald Parham

How can IBM help
If you are experiencing cybersecurity issues or an incident, contact X-Force IRIS to help: US hotline 1-888-241-9812 Global hotline (+001) 312-212-8034

Additional information can be found here: https://www.ibm.com/security/covid-19

Key takeaways

COVID-19 and cybercrime
While the world struggles with the impacts of COVID-19, cybercriminals see it as an opportunity. Since February, IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam. Action: Run that model the most likely threat to mitigate any vulnerabilities now.

Improvising amid chaos
Organizations that were insufficiently prepared in normal times have been caught completely off guard. In fact, 76 percent of organizations don’t have an incident response plan applied consistently across the organization, according to a 2019 report.1 Action: Create or update a Cybersecurity Incident Response Plan (CSIRP).

Managing through disruption
During times of crisis, business continuity planning becomes a major strategic asset. Even organizations that are unprepared can take steps to mitigate the impacts and use the experience for future crisis planning. Action: Observe, orient, decide, and act in rapid cycles.

Learning from extreme events

In recent weeks, cybersecurity threats have escalated, as bad actors take advantage of the COVID-19 pandemic. While organizations worry about newly pressing concerns—workforce well-being, finance availability, and the resiliency of operations and supply chains—cybersecurity focus is being overshadowed and risks are rising.

The tendency toward ad hoc decision making during crises only accelerates the opportunity to exfiltrate data or compromise business operations. The potential impacts are more dangerous, too. A distributed denial-of-service (DDoS) attack, for instance, can be far more damaging in an operational environment that is already strained for capacity than one launched when additional capacity is readily available.

In this report, we identify key steps security leaders can take now to manage discrete, high-impact events that may arise in this environment and to prepare for additional unforeseen scenarios. Every cybersecurity crisis has a three-part lifecycle:
– Planning and detection
– In-the-moment response and remediation
– Recovery.

The first step is for leaders to identify where they are in that lifecycle and prioritize their actions accordingly. We have created recommended actions for each phase as a guide. In particular, the current pandemic environment demands increased attention to response and remediation. Drawing on lessons learned from incident response drills in security operations centers (SOCs) and cyber ranges (virtual environments for testing security capabilities), we have found that highly resilient organizations do three things well: organize and deploy resources, communicate regularly, and coordinate responses.

COVID-19’s impact on the cybersecurity landscape

50+ unique malware distributed in various COVID-19-themed campaigns2

1 in 4 organizations don’t have an incident response plan3

#1: The combined effect of an incident response (IR) team and IR plan testing produces greater cost savings than any other security remediation process4

During 2020, business has changed radically for nearly every organization around the globe. As the number of COVID-19 cases grows and the rate of accelerates in some areas and abates in others, the operations landscape evolves daily–sometimes hourly. The magnitude of impact is unprecedented.

Opportunistic threat actors

Since February when the outbreak went global, IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam. Cybercriminals are using the coronavirus outbreak to drive their business, with virus-themed sales of malware assets on the dark web and even virus-related discount codes.5 They are also rapidly creating domains: COVID-19-related domains are 50 percent more likely to be malicious than other domains registered during the same time period.6

Numerous phishing scams have emerged. For example, IBM’s X-Force Exchange is tracking a spam email that takes advantage of small business owners hoping to secure loans from the US Small Business Administration. Instead of providing help, an attachment installs a Remote Access Trojan (RAT). Another high-volume spam campaign threatens to infect recipients and their families with COVID-19 if they do not pay a ransom in bitcoin.7

A number of other scams imply association with legitimate organizations. One email phishing attack purports to be from the World Health Organization (WHO) director-general. Attached to the email are documents that install an Agent Tesla malware variant that acts as a keylogger and info-stealer.8 A similar attack uses the US Centers for Disease Control and Prevention (CDC) as a lure.9 The IBM X-Force COVID-19 security bulletins, which consolidate a collection of threat actors and COVID-19 exploits, identify hundreds of examples.10

Reports suggest nation-state actors could be using the pandemic to make forays into US agencies, notably the US Department of Health and Human Services.11 As Ben Sasse, a member of the US Senate Intelligence Committee, observed, “Here’s the reality of conflict: are massive weapons to kick opponents when they’re down.”12

The new risks of remote work

The rapid shift to remote work has also opened new loopholes for cybercriminals to exploit. According to The New York Times, as of the first week of April 2020, 316 million people in the US were being urged to stay home.15 The global figures are orders of magnitude higher. India’s shelter-in-place guidelines, for example, extend restrictions to 1.3 billion people.16

Many of those staying home are also working from home. Yet, many displaced workers lack the secure equipment or protocols that enable digital safety. With newly remote employees accessing corporate networks via personal devices, hackers are probing Wi-Fi configurations and VPN connections for security vulnerabilities. And as people congregate on cloud-based productivity platforms—both for work and personal reasons—malicious actors are launching schemes to exploit the situation, including hacking into and disrupting live meetings.17

Employees aren’t the only ones who are unprepared—so are organizations. In a recent online poll by Threatpost, 70 percent of respondents said enabling remote working is fairly new for their organizations. And 40 percent reported seeing increased cyberattacks as they enable remote working.18 As US Senator Mark Warner wrote in an email, “As the federal government prepares for what is likely to be an unprecedented experiment in telework, it’s also expanding opportunities for malicious actors to attack and potentially disrupt vital government services.”19

Insight: Cybercrime damages public confidence

Cybercrime is built on threat actors’ abilities to exploit fear, anxiety, and uncertainty, sentiments magnified during a pandemic. Compounding personal concerns, livelihoods of individuals and businesses are disrupted in unpredictable ways. As a World Economic Forum bulletin noted, society’s increased reliance on digital infrastructure raises the cost of failure.13 This public health pandemic imposes both social and economic costs, affecting individuals in unique and profound ways. High-value assets (HVAs) are particularly vulnerable to attack. Defined by the US Cybersecurity and Infrastructure Security Agency (CISA) as “information or systems so critical that their loss or corruption would seriously affect an organization’s ability to perform its mission or conduct business,” HVAs are especially enticing for cybercriminals looking to damage public confidence in an organization.14

The potential for continued disruption during this pandemic is high and requires crisis response leaders to maintain constant vigilance and organizational agility.

Highly resilient organizations marshal resources, communicate efficiently, and coordinate responses.

The importance of making quick decisions

During a crisis, executives and members of security teams need to filter available information to quickly make optimal decisions. Borrowing principles originally developed by military strategists, organizations benefit from incorporating tactical operations techniques such as “observe, orient, decide, and act,” also known as the OODA loop.20

The OODA loop encourages iteration (see Figure 1). If you can go through it faster than whatever you’re remediating, you gain an advantage. By accelerating response, you can harmonize efforts with the broader team. No decision has to be final. Making small mistakes is often better than taking no action at all.

Figure 1 Observe, Orient, Decide, Act (OODA) Loop

[Diagram: Observe → Orient → Decide (hypothesis) → Act (test), with feedback. Inputs to Observe: unfolding circumstances, outside information, unfolding interaction with environment. Orient: culture, analysis and synthesis, previous experiences, and new information.]

Source: “OODA loop.” Wikipedia, accessed April 1, 2020. https://en.wikipedia.org/wiki/OODA_loop

Creating an incident response plan

Most organizations are ill-equipped to handle a major cybersecurity incident, much less amid a global crisis like COVID-19. A recent study from the Ponemon Institute found that 76 percent of organizations don’t have an incident response plan applied consistently across the organization. One in four organizations report not having any Cybersecurity Incident Response Plan (CSIRP) whatsoever.21

An effective CSIRP outlines governance and communications practices across teams (see “Insight: Anatomy of a CSIRP”). It also defines response models and details crisis response roles and responsibilities across the organization, such as strategy, technology, operations, and community and government relations. Any organization without a CSIRP in place should be racing to implement one. With breach notification laws and regulations getting stricter around the world even prior to the COVID-19 pandemic, business continuity planning is a long-term strategic capability that can prepare an organization for a of unexpected contingencies.

But even if your organization has a CSIRP in place, there are steps you can take now to reinforce it for COVID-19’s particular risks. plans vary based on the nature and scope of the threat, the type and size of an organization, and variances in regulatory requirements related to disclosures, data privacy, and data locality. As organizations learn more, they can adapt the CSIRP and apply those lessons quickly.

Insight: Anatomy of a CSIRP

A Cybersecurity Incident Response Plan (CSIRP) typically includes the following information:
– How to qualify and classify a crisis event
– Roles and responsibilities of internal and external team members, including a hierarchical view that summarizes decision-making authority and escalations
– A crisis communications plan for communicating with internal and external stakeholders
– An inventory of the organization’s HVAs and mission critical capabilities, along with the critical support services that enable these
– Regulatory and disclosure requirements related to the above
– An inventory of supplemental operations support capabilities like threat remediation services and threat intelligence sharing with community/computer emergency response/readiness teams (CERTs), federal law enforcement, or other groups.

Making small mistakes is often better than taking no action at all.

The crisis lifecycle, phase 1: Steady state/planning

As the COVID-19 crisis unfolds, organizations that have yet to experience a cyber threat still have the luxury of time – they should use it wisely. (See Figure 2.)

Most important, organizations without a CSIRP should create one. Leaders that have already been through that stage of planning should take the opportunity now to evaluate the CSIRP for any gaps based on their COVID-19 security posture. Even when a “black swan” event transforms into a longer-term reality, such as with COVID-19, there are options.22 The key is to find ways to improve those options and buy time to make better decisions.

Figure 2 The crisis lifecycle

[Diagram: business impact plotted against time across three periods, marked by milestones and leadership decisions, with a governance loop and a learning loop.
Before: steady state operations (insights, planning, prevention), ending at detection.
During: incident response and crisis ops (incident response; triage, discovery, forensics; crisis communications; collaboration; stakeholder management). Escalation and stabilization; response period with OODA mitigation loops N, N+1, N+2.
After: recovery ops (lessons learned and after-action report, post-crisis communications, leadership review, improvement plan, model updates). Recovery and restoration; recovery period varies based on resilience.
Other labels: agility, adaptability.]

Source: IBM Institute for Business Value analysis.

An organization’s ability to execute amid can be refined using simulations. While there’s no substitute for real-life, hands-on experience, simulations with drills and repetition are useful to discover any gaps in risk management and risk mitigation models. The more teams practice, the more they know what to anticipate and how they will respond during actual security events. Teams can see variables and dependencies unfold in real time, model their responses, and continue to improve.

Defining risk management

Cyber resilience is an organization’s ability to prevent, respond to, and recover from a as well as sustain the integrity of internal and external operations. The three core concerns are threats, vulnerabilities, and risk:
– Threat: Anything that can exploit a vulnerability, intentionally or accidentally, and commandeer, damage, or destroy an information or operational asset. These are discrete tactics or events.
– Vulnerability: Weaknesses or gaps in a security program that can be exploited by a threat to gain unauthorized access to an asset.
– Risk: The potential for loss, damage, or destruction as a result of a threat acting upon a vulnerability.23

The challenge, particularly in the age of COVID-19, is that risks are dynamic, emergent, and unpredictable—yet often interdependent. Risk management involves identifying threats and modeling the magnitude of operational impact in conjunction with the likelihood or probability of occurrence. That’s why crisis response requires collaboration among cybersecurity, technology, and operations—a cross-functional (and increasingly cross-organizational) activity.

When risks become real, teams need to shift operations from planning and modeling to incident response, disaster recovery, and business continuity. Most importantly, it is imperative that plan/simulation processes are the same as action/response processes. The ability to make decisions quickly and collaboratively often represents the difference between success and failure.

Phase 1: Actions to take
Align operations, practice, and refine the playbook

1. Build the plan and the team. Create a CSIRP that is regularly updated to reflect the current operating environment. Validate and test crisis alert rosters to complete your team membership. Consider semi-annual or quarterly plan updates and crisis response drills, especially in larger organizations with frequent personnel changes.

2. Transform decision making into an agile practice. Previously developed and tested processes and procedures should allow for quick decision making by the key stakeholders working the response plan. Key leaders should have the authority to make important decisions without having to go through a lengthy approval process.

3. Remove dependencies and extend visibility in all directions. The availability and integrity of the supply chain is an often-overlooked risk . Mandate transparency mechanisms to remove friction, expedite decision making, and maintain supplier independence. Consider procurement dependencies (by geography or supplier) and find alternative sources to maintain business operations. Re-examine provider/supplier contracts for force majeure (including unavoidable, major ) clauses. Examine supply chain networks for fourth-party and “n-party” risk.

4. Make the plan real. Tabletop exercises and breach simulations are an effective way to validate the process and procedures for each of the key functions of your cyber crisis management plan. On a regular basis, conduct full-scale simulation exercises to stress-test teams, leadership, and communications. The ultimate goal is training the team to “build the muscle memory” to respond effectively, much like first-responder or military teams. Crisis planning needs to accommodate a spectrum of operational disruption and social impacts, which require different approaches to crisis mitigation and response.

5. Learn from mistakes. Failure during crisis simulation is infinitely more valuable—and less costly—than failure during an actual crisis. Recognize how failure modes are exacerbated by systemic dependencies, outdated assumptions, or decision-making bias. Make the unexpected a part of every drill to learn how to balance standard practice and crisis governance with the team’s capacity for collaborative problem solving and ingenuity.

The crisis lifecycle, phase 2: Incident response

Despite thorough plans and preparation, a crisis, by definition, strikes in unanticipated ways. When it affects organizations indiscriminately—as with the COVID-19 pandemic—systemic failure is a real possibility. In times of systemic risk, an organization’s routine operational capabilities may be identified as essential to critical infrastructure, requiring significant adjustments to steady state operations.

When an actual crisis arises, teams that have used simulation drills to update response plans and refine abilities typically fare better. Because teams know what to do, leaders can observe how a situation is evolving. They can then make decisions and redirect when needed to protect the safety of employees, customers, and other stakeholders; protect data integrity; and respond to events in ways that help alleviate the particular crisis.

If crisis strikes indiscriminately and causes significant social disruption, organizations need to use operational resources in new ways to provide aid and restore confidence. With proper planning, response plans can factor in a broad range of variables and help leaders choose responses that bolster goodwill, integrity, and trust.

Crisis operations

Striking the right balance between governance and ingenuity is crucial to crisis resolution. Establishing governance guidelines for critical communications can pave the way for more creative problem solving and collaboration for more intractable crisis mitigation efforts. While problems might seem technical, almost invariably the solutions involve human sensibilities and teamwork.

When a security breach or cyberattack occurs, executives must quickly instill confidence in their customers and other stakeholders that they’re doing everything possible to solve the problem. For many leaders in the C-suite, this type of fast, intuitive response doesn’t come naturally. Although they might know what to do technically to manage a breach, they often aren’t prepared to cope with the human side of the equation.

In mid-crisis, the playbook and simulations will enable everyone—from the security team to communications and PR professionals to the CEO—to understand their role and take appropriate action with the right mix of hard and soft skills that enable the team to get ahead of the problem.

Phase 2: Actions to take
Run the playbook, adapt, and collaborate

1. Accept that perfection doesn’t exist—stay in the moment. Recognize that triage is necessary and initial outcomes may be sub-optimal. “Observe, orient, decide, and act” in rapid cycles to get ahead of the situation. Break complex problems down into their constituent parts.

2. Minimize cognitive loads. Keep team members in synch using standardized terminology and communication protocols that expedite discovery and assessment. Filter information and represent variables as simply and directly as possible. Use visuals to illustrate key relationships and dependencies.

3. Lead by example. Leaders combine soft and hard skills. Demonstrate consideration and empathy, as well as technical acumen. As circumstances change, model the right mix of action and analysis. Encourage team members to be vigilant about the distinction between fact and opinion.

4. Prioritize teamwork—not heroism or self-sacrifice. Take an inventory of the team’s strengths and leverage the diversity of the team. Assign responsibilities based on curiosity and ability. Make partners as enfranchised and accountable as core team members. Use the big picture to inspire, not overwhelm.

5. Communicate honestly and transparently, especially with senior leaders and stakeholders. Be disciplined in defining the threat to the business in concrete terms. Which measures suggest progress? Would more specialized resources, more budget, or more time make a difference? How is this crisis similar to (and different from) others? What variables are making the situation worse (or better)? Know when a decision should be escalated and prepare a set of options and expected outcomes.

The crisis lifecycle, phase 3: Recovery and improvement

Some security experts suggest the COVID-19 pandemic might be instructive for future cyberattacks that could cause social disruption on similarly massive scales.24 As Brian Finch writes in an op-ed for The Hill, “Cyber thinkers in Washington would do well then to carefully study any successful measures used to mitigate the financial impact caused by COVID-19. Doing so will help prevent unnecessary scrambling and jury-rigged solutions when the inevitable cyber pandemic arrives.”25

COVID-19 has certainly put the world on notice. As with any great upheaval, some of the lessons learned can be used to improve future responses. One thing seems certain: the ability to communicate, coordinate, and collaborate—as much as the ability to command and control—will win the day.

With some combination of avoidance and prevention, incident response drills, and simulations, security leaders can gain both greater confidence in their ability to withstand moments of crisis and the conviction that comes from operating with integrity. According to Chris Pierson, CEO of cybersecurity firm BlackCloak, “Cybercriminals are not taking a break during this global pandemic and neither will the defenders or their suppliers, so I think the outlook is extremely positive.”26

Phase 3: Actions to take
Invest in new capabilities to make the business more resilient and adaptable

1. Implement security telemetry and analytics. Early detection and response start with automated data collection capabilities. With modern telemetry and log file capture solutions, attack vectors can be modeled, signatures created, and breaches re-created—even after the fact.

2. Develop security automation capabilities. By enabling security automation, specialists can focus on threats that require deeper analysis. According to Ponemon, investments in automation can pay for themselves: organizations that had not deployed security automation experienced breach costs that were 95 percent higher than breaches at organizations with fully deployed automation (USD 5.16 million without automation versus USD 2.65 million for fully deployed automation).27

3. Consume and contribute to threat intelligence. Cloud-based security services monitor traffic over an operational footprint far larger than any single organization. Contributing threat intelligence data enhances cyber-resilience for all organizations, while consuming threat intelligence insights expedites threat detection and response.28

4. Prioritize collaboration and continuous learning. Cyber resilient organizations operate in a continuous cycle of discovery, learning, adaptation, and iteration. In times of crisis, effective threat remediation comes down to the ability of individuals to work together on complex, often intractable, problems.29

5. Raise security awareness. Cyber resilient organizations prioritize security as a strategic capability across the enterprise. This prioritization is lacking for many organizations: Our 2019 cyber resiliency study with Ponemon revealed that only 25 percent of respondents rate their organizations’ cyber resilience as high—and only 31 percent rate their ability to recover from a cyberattack as high.30

About the authors

Wendi Whitmore
Vice President, X-Force Threat Intelligence, IBM Security
[email protected]
linkedin.com/in/wendiwhitmore2
@wendiwhitmore

Wendi Whitmore is the Vice President of IBM X-Force Threat Intelligence and a recognized voice of expertise in the cybersecurity realm. She has over a decade and a half of diverse experience in incident response, proactive and strategic information security services, intelligence, and data breach investigations with clients from virtually every sector and geography.

Gerald Parham
Security and CIO Research Leader, IBM Institute for Business Value
[email protected]
linkedin.com/in/gerryparham/

Gerald Parham is the Global Research Leader for Security & CIO for the IBM Institute for Business Value. Gerald’s research focuses on the cyber lifecycle and cyber value chains, in particular the relationship between strategy, risk, security operations, identity, privacy, and trust. He has more than 20 years of experience in executive leadership, innovation, and intellectual property development.

The right partner for a changing world

At IBM, we collaborate with our clients, bringing together business insight, advanced research, and technology to give them a distinct advantage in today’s rapidly changing environment.

IBM Institute for Business Value

The IBM Institute for Business Value, part of IBM Services, develops fact-based, strategic insights for senior business executives on critical public and private sector issues.

For more information

To learn more about this study or the IBM Institute for Business Value, please contact us at [email protected]. Follow @IBMIBV on Twitter, and, for a full catalog of our research or to subscribe to our monthly newsletter, visit: ibm.com/ibv.

Related reports

“COVID-19 Action Guide” ibm.co/covid-19-action-guide

“A CIO’s guide to extreme challenges” ibm.co/cio-guide-challenges

“How CISOs can secure a strategic partnership” ibm.com/thought-leadership/institute-business-value/report/ciso-strategic-partnership

Notes and sources

1 “The 2019 Cyber Resilient Organization.” Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV

2 XF-IRIS internal data analysis. Additional COVID-19 data insights are available at https://exchange.xforce.ibmcloud.com/collection/Threat-Actors-Capitalizing-on-COVID-19-f812020e3eddbd09a0294969721643fe

3 “The 2019 Cyber Resilient Organization.” Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV

4 “2019 Cost of Data Breach Study: Global Analysis.” Ponemon Institute. Benchmark research sponsored by IBM independently conducted by Ponemon Institute LLC. 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL

5 Whitney, Lance. “Cybercriminals exploiting coronavirus outbreak with virus-themed sales on the dark web.” TechRepublic. March 19, 2020. https://www.techrepublic.com/article/cybercriminals-exploiting-coronavirus-outbreak-with-virus-themed-sales-on-the-dark-web/

6 “Update: Coronavirus-themed domains 50% more likely to be malicious than other domains.” Check Point blog post, accessed March 27, 2020. https://blog.checkpoint.com/2020/03/05/update-coronavirus-themed-domains-50-more-likely-to-be-malicious-than-other-domains/

7 “U.S Small Business Administration Spoofed In Remcos RAT Campaign.” IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Small-Businesses-Seeking-Disaster-Assistance-Targeted-By-Remcos-Infostealer-e8b9f4f5e9d8c98f51e2ee09ac632ef8; “Holding Your Health For Ransom: Extortions On The Rise.” IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Holding-Your-Health-For-Ransom-Extortions-On-The-Rise-1fc43fac1cf1b72a4245f0107da283e3

8 “Covid-19 Drug Advice From The WHO Spoofed to Distribute Agent Tesla Info-Stealer.” IBM X-Force Threat Intelligence. IBM X-Force Exchange. https://exchange.xforce.ibmcloud.com/collection/Covid-19-Drug-Advice-From-The-WHO-Disguised-As-HawkEye-Info-Stealer-2f9a23ad901ad94a8668731932ab5826

9 Vergelis, Maria. “Coronavirus phishing.” Kaspersky Daily. February 7, 2020. https://www.kaspersky.com/blog/coronavirus-phishing/32395/

10 Whitmore, Wendi. “IBM X-Force Threat Intelligence Cybersecurity Brief: Novel Coronavirus (COVID-19).” March 17, 2020. https://securityintelligence.com/posts/ibm-x-force-threat-intelligence-cybersecurity-brief-novel-coronavirus-covid-19/

11 Stein, Shira, and Jennifer Jacobs. “Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak.” Bloomberg. March 16, 2020. https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

12 Miller, Maggie. “Top US health agency suffers cyberattack.” The Hill. March 16, 2020. https://thehill.com/policy/cybersecurity/487756-top-us-health-agency-suffers-cyberattack-report

13 Pipikaite, Algirde, and Nicholas Davis. “Why cybersecurity matters more than ever during the coronavirus pandemic.” World Economic Forum. March 17, 2020. https://www.weforum.org/agenda/2020/03/coronavirus-pandemiccybersecurity/

14 “CISA Insights.” US Cybersecurity and Infrastructure Security Agency website, accessed March 29, 2020. https://www.cisa.gov/insights

15 Mervosh, Sarah, Denise Lu, and Vanessa Swales. “See Which States and Cities Have Told Residents to Stay at Home.” The New York Times. March 29, 2020. https://www.nytimes.com/interactive/2020/us/coronavirus-stay-at-home-order.html

16 Gettleman, Jeffrey, and Kai Schultz. “Modi Orders 3-Week Total Lockdown for All 1.3 Billion Indians.” The New York Times. March 24, 2020. https://www.nytimes.com/2020/03/24/world/asia/india-coronavirus-lockdown.html

17 Miller, Maggie. “Zoom vulnerabilities draw new scrutiny amid coronavirus fallout.” The Hill. April 2, 2020. https://thehill.com/policy/cybersecurity/490685-zoom-vulnerabilities-exposed-as-meetings-move-online

18 Seals, Tara. “Coronavirus Poll Results: Cyberattacks Ramp Up, WFH Prep Uneven.” Threatpost. March 19, 2020. https://threatpost.com/coronavirus-poll-cyberattacks-work-from-home/153958/

19 “Federal employees may soon be ordered to work from home.” . March 13, 2020.

20 “OODA loop.” Wikipedia, accessed April 1, 2020. https://en.wikipedia.org/wiki/OODA_loop

21 “The 2019 Cyber Resilient Organization.” Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV

22 Black swan events describe entirely unexpected situations outside the realm of normal expectation that have extreme consequences. Taleb, Nassim Nicholas. “The Black Swan: The impact of the highly improbable.” 2007.

23 “Threat, vulnerability, risk—commonly mixed up terms.” Threat Analysis Group website, accessed April 1, 2020. https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/

24 Kallberg, Jan, and Col. Stephen Hamilton. “What COVID-19 can teach us about cyber resilience.” Fifth Domain. March 2020. https://www.fifthdomain.com/opinion/2020/03/23/what-covid-19-can-teach-us-about-cyber-resilience/

25 Finch, Brian. “Cyber planners should be carefully watching the coronavirus.” The Hill. March 2, 2020. https://thehill.com/opinion/cybersecurity/485391-cyber-planners-should-be-carefully-watching-the-coronavirus

26 Ferguson, Scott. “Cybersecurity Sector Faces Reckoning After Coronavirus Hits.” BankInfoSecurity. March 10, 2020. https://www.bankinfosecurity.com/coronavirus-hits-wall-street-cyber-survive-slide-a-13913

27 “2019 Cost of Data Breach Study: Global Analysis.” Ponemon Institute. Benchmark research sponsored by IBM independently conducted by Ponemon Institute LLC. 2019. https://www.ibm.com/downloads/cas/ZBZLY7KL

28 For example, the annual IBM X-Force Threat Intelligence Index. https://www.ibm.com/security/data-breach/threat-intelligence

29 “High-Stakes Hiring: Selecting the Right Cybersecurity Talent to Keep Your Organization Safe.” IBM Smarter Workforce Institute. 2018. https://www.ibm.com/downloads/cas/X47BR759

30 “The 2019 Cyber Resilient Organization.” Ponemon Institute and IBM. 2019. https://www.ibm.com/downloads/cas/GAVGOVNV

About Research Insights

Research insights are fact-based strategic insights for business executives on critical public and private sector issues. They are based on findings from analysis of our own primary research studies. For more information, contact the IBM Institute for Business Value at [email protected].

© Copyright IBM Corporation 2020

IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America
April 2020

IBM, the IBM logo, ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at: ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

This report is intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. IBM shall not be responsible for any loss whatsoever sustained by any organization or person who relies on this publication.

The data used in this report may be derived from third-party sources and IBM does not independently verify, validate or audit such data. The results from the use of such data are provided on an “as is” basis and IBM makes no representations or warranties, express or implied.

44031444USEN-01